amass
Discover attack surface by subdomain enumeration
TLDR
Execute an Amass subcommand
Display help
Display help on an Amass subcommand
Display version
SYNOPSIS
amass subcommand [options] [domains]
PARAMETERS
-active
Perform active recon including queries and crawling
-brute
Enable dictionary-based brute force subdomain discovery
-d, --domains
Target domain(s); repeatable for multiple
-passive
Use only passive data sources (stealthy)
-o, --output
Output file for discovered names
-w, --wordlist
Path to wordlist for brute forcing
-config
Path to config file (YAML/JSON)
-dir
Output directory for database and files
-json
Output in JSON format
-v
Enable verbose logging
-debug
Print debug information
-max
Maximum DNS queries per second
-exclude
File with IPs/subdomains to ignore
-rf, --resolvers-file
File with list of DNS resolvers
-timeout
Max time per enumeration in minutes
-ip
Include IP addresses in output
-recursion
Perform recursive enumeration
-list
Input file with list of domains
-org
Organization name for tracking
-version
Print version information
DESCRIPTION
Amass is an open-source reconnaissance and network mapping tool developed by OWASP for discovering external assets like subdomains, IP addresses, ASNs, and infrastructure details. It combines passive techniques (certificate transparency logs, web archives, DNS data sources) with active methods (brute-force, DNS queries, crawling) to provide comprehensive attack surface discovery.
Key strengths include wordlist-based brute forcing, permutation generation, multiple data sources (Rapid7, Shodan, AlienVault OTX), and a local database for deduplication and querying. Output formats include text, JSON and CSV, for integration with tools like Maltego or custom scripts. Subcommands handle intel gathering, enumeration, visualization, and tracking.
Widely used in penetration testing, bug bounties, and red teaming, Amass uncovers hidden assets stealthily or aggressively. It respects rate limits and supports config files for customization. Installation via Go or Docker makes it accessible for Linux environments.
CAVEATS
Not a standard Linux package; install via Go ("go install") or Docker. Resource-intensive with active mode; respect rate limits and legal boundaries. Requires root for some features like raw sockets.
INSTALLATION
Go: go install -v github.com/owasp-amass/amass/v4/...@master
Docker: docker run -v "$(pwd):/data" owasp/www-project-amass amass enum ...
COMMON EXAMPLE
amass enum -passive -d example.com -o results.txt
Passive subdomain enumeration for example.com; the discovered names are saved to results.txt.
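Added example (not part of the original page or the Amass project): a shell helper that compares the names saved by a run like the one above with a baseline, such as an asset inventory or an earlier results file, and prints the in-scope names the baseline lacks. It assumes both files hold one hostname per line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Amass project code. Assumption: both input files hold
# one hostname per line (the "-o" file of discovered names).

# normalize FILE DOMAIN
# Lowercase, drop CRs, trailing blanks and trailing dots, keep only DOMAIN
# and its subdomains, then sort and de-duplicate.
normalize() {
  nz_domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]*$//' -e 's/\.*$//' |
    awk -v d="$nz_domain" '
      $0 == d { print; next }
      length($0) > length(d) + 1 &&
        substr($0, length($0) - length(d)) == ("." d) { print }' |
    LC_ALL=C sort -u
}

# missing_from_baseline BASELINE RESULTS DOMAIN
# Prints in-scope names present in RESULTS but absent from BASELINE.
# BASELINE is an asset inventory or the results file of an earlier run.
missing_from_baseline() {
  mb_tmp=$(mktemp -d) || return 1
  normalize "$1" "$3" > "$mb_tmp/base"
  normalize "$2" "$3" > "$mb_tmp/found"
  LC_ALL=C comm -13 "$mb_tmp/base" "$mb_tmp/found"
  rm -rf "$mb_tmp"
}

# Demo on constructed sample data (not real scan output).
demo() {
  demo_dir=$(mktemp -d) || return 1
  printf '%s\n' www.example.com api.example.com > "$demo_dir/inventory.txt"
  printf '%s\n' WWW.example.com. api.example.com dev.example.com \
    notexample.com cdn.example.net > "$demo_dir/results.txt"
  missing_from_baseline "$demo_dir/inventory.txt" "$demo_dir/results.txt" \
    example.com
  rm -rf "$demo_dir"
}

demo   # prints: dev.example.com
```

Names outside the given domain, such as notexample.com in the sample, are dropped by the scope filter before the comparison.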
SUBCOMMANDS
enum: Enumerate subdomains.
intel: Gather passive intel.
viz: Visualize graph output.
db: Manage local database.
track: Monitor domains over time.
HISTORY
Created by Jeff Foley in 2016 as a personal tool. Joined OWASP in 2018 as an official project. v3 (2020) introduced subcommands and the database; v4 (2023+) adds a GraphQL API, better performance, and new sources like FOFA and ZoomEye.


